mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-03 08:05:21 +00:00

Check the cache as well when glue NS are returned processing RPZ

Mark Andrews
2022-05-04 17:08:27 +10:00
parent 07c828531c
commit 8fb72012e3


@@ -4006,6 +4006,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
dns_rpz_have_t have; dns_rpz_have_t have;
dns_rpz_popt_t popt; dns_rpz_popt_t popt;
int rpz_ver; int rpz_ver;
unsigned int options;
#ifdef USE_DNSRPS #ifdef USE_DNSRPS
librpz_emsg_t emsg; librpz_emsg_t emsg;
#endif /* ifdef USE_DNSRPS */ #endif /* ifdef USE_DNSRPS */
@@ -4256,7 +4257,9 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
dns_fixedname_init(&nsnamef); dns_fixedname_init(&nsnamef);
dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef)); dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef));
options = DNS_DBFIND_GLUEOK;
while (st->r.label > st->popt.min_ns_labels) { while (st->r.label > st->popt.min_ns_labels) {
bool was_glue = false;
/* /*
* Get NS rrset for each domain in the current qname. * Get NS rrset for each domain in the current qname.
*/ */
@@ -4270,10 +4273,10 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
if (st->r.ns_rdataset == NULL || if (st->r.ns_rdataset == NULL ||
!dns_rdataset_isassociated(st->r.ns_rdataset)) { !dns_rdataset_isassociated(st->r.ns_rdataset)) {
dns_db_t *db = NULL; dns_db_t *db = NULL;
result = rpz_rrset_find( result = rpz_rrset_find(client, nsname,
client, nsname, dns_rdatatype_ns, dns_rdatatype_ns, options,
DNS_DBFIND_GLUEOK, DNS_RPZ_TYPE_NSDNAME, &db, DNS_RPZ_TYPE_NSDNAME, &db, NULL,
NULL, &st->r.ns_rdataset, resuming); &st->r.ns_rdataset, resuming);
if (db != NULL) { if (db != NULL) {
dns_db_detach(&db); dns_db_detach(&db);
} }
@@ -4281,8 +4284,10 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
goto cleanup; goto cleanup;
} }
switch (result) { switch (result) {
case ISC_R_SUCCESS:
case DNS_R_GLUE: case DNS_R_GLUE:
was_glue = true;
FALLTHROUGH;
case ISC_R_SUCCESS:
result = dns_rdataset_first(st->r.ns_rdataset); result = dns_rdataset_first(st->r.ns_rdataset);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
goto cleanup; goto cleanup;
@@ -4321,6 +4326,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
continue; continue;
} }
} }
/* /*
* Check all NS names. * Check all NS names.
*/ */
@@ -4371,7 +4377,17 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
result = dns_rdataset_next(st->r.ns_rdataset); result = dns_rdataset_next(st->r.ns_rdataset);
} while (result == ISC_R_SUCCESS); } while (result == ISC_R_SUCCESS);
dns_rdataset_disassociate(st->r.ns_rdataset); dns_rdataset_disassociate(st->r.ns_rdataset);
st->r.label--;
/*
* If we just checked a glue NS RRset retry without allowing
* glue responses, otherwise setup for the next name.
*/
if (was_glue) {
options = 0;
} else {
options = DNS_DBFIND_GLUEOK;
st->r.label--;
}
if (rpz_get_zbits(client, dns_rdatatype_any, if (rpz_get_zbits(client, dns_rdatatype_any,
DNS_RPZ_TYPE_NSDNAME) == 0 && DNS_RPZ_TYPE_NSDNAME) == 0 &&